atreus Beginner
Joined: 22 Mar 2005 Posts: 21
Posted: Wed Apr 13, 2005 9:12 am
Abusing another player's triggers
Okay, consider this:
You make a trigger to highlight and catch part of a line from mud input to inform your party of what's happening. Let's say you have a skill that has a special effect of stunning a monster every now and then and you want to inform your party when this stun special occurs so that they know not to flee from combat for at least as long as the stun lasts.
You know the monster name can consist of an arbitrary number of words (though typically between 1-4) and you want to catch the full name.
So, you make a trigger, something like this:
Code:
Pattern:
^(&Monster) seems to be totally confused and unable to fight at all!
Value:
#SEND {say @Monster stunned!}
Now, what if another player pulled a little prank on you and did something like this while standing in the same room with you:
Code:
Atreus says ';keep clear;give eq to atreus;quit; seems to be totally confused and unable to fight at all!'
Knowing that ; is the default command delim character in the mud. If you haven't changed your delim character, the command your zMud would end up sending to the mud would be:
say Atreus says ';keep clear;give eq to atreus;quit;
or, in other words, your character would say "Atreus says '", after which the delim character kicks in and makes you relinquish all your worn equipment to me and then quit the game. If you were idling at the moment, you might not even know what happened when you got back. You'd just stand there (provided you have auto-login and reconnection on disconnect enabled), without any eq on.
And the abuse is not limited to just losing your eq. What if that prankster instead said something like (these are just examples of course, and the actual commands would vary from mud to mud, but you get the point):
Code:
Atreus says ';suicide;yes; seems to be totally confused and unable to fight at all!'
Nasty, eh?
Now, my question is, what would be a good way to mark certain characters as illegal and strip them from received mud input before sending anything back to the mud, thus removing the possibility of such abuse.
Of course, I could just go ahead and change my delim character, but that's security through obscurity and only a matter of time before someone figures it out - if someone really wants to.
.atr.
Private Adept
Joined: 10 Jan 2002 Posts: 264 Location: USA
Posted: Wed Apr 13, 2005 9:41 am
Use $ at the end as well to match the ! as the last character; the say would have !' at the end and would not match.
Also, on the mud I play, most messages like that are in grey whereas says are cyan (we can also change our color schemes via the mud), so making this match via color as well would help.
The problem I've found is that even a color-matched ^begin end$ trigger is fooled when you whois someone (user-set descriptions can be colored and formatted exactly like mud messages) or when reading the note boards; in those cases my whois alias simply disables parsing starting at the beginning of whois and re-enables it at the end of whois, same for note reading.
Kiasyn Apprentice
Joined: 05 Dec 2004 Posts: 196 Location: New Zealand
Posted: Wed Apr 13, 2005 2:27 pm
^(&Monster) seems to be totally confused and unable to fight at all!
Value:
#if ( %match( @Monster, ";" ) ) {
#SEND {say Yeah right}
} {
#SEND {say @Monster stunned!}
}
DeReP Adept
Joined: 14 Jun 2003 Posts: 222 Location: Chile
Posted: Wed Apr 13, 2005 2:52 pm
I tried your exact example and ended up sending everything in one say with the separators in it, so nothing really happened.
I do remember some time ago someone talking about this same problem.
asm Wanderer
Joined: 19 Jul 2004 Posts: 68
Posted: Wed Apr 13, 2005 11:18 pm
For the mob name....#REGEX
#REGEX is beautiful, I'm considering perl just because of it. You can do so many things with it (Including not detecting it if it has semicolons in it), and split up different parts along %1, %2, etc, pretty much any way you like. Only, \w seems to be bugged or something...I can only get it to match a single character, and it's supposed to be the word delimiter...
For the %s...An expression like (.+ attacks (.+)) with 'something attacks some mob'
%1 equals: something attacks some mob
%2 equals: some mob
Play around with it, and you can get it to only match letter characters... Note that .+ is basically the * of regular expressions, so it will match semicolons.
Maelstrom Apprentice
Joined: 10 Feb 2005 Posts: 158
Posted: Thu Apr 14, 2005 1:28 am
As for \w not working that sounds right to me...
Quote:
\w Match a "word" character (alphanumeric plus "_")
+ Match 1 or more times
What you're looking for, then, is actually \w+
asm Wanderer
Joined: 19 Jul 2004 Posts: 68
Posted: Thu Apr 14, 2005 1:52 am
Oh, word character....Hm, you sure about that? On the pattern test thing, it puts "abc" for it, not just "a" or something of the like....And, as such, sometimes the expression generated for the test by zmud doesn't work...
Kiasyn Apprentice
Joined: 05 Dec 2004 Posts: 196 Location: New Zealand
Posted: Thu Apr 14, 2005 3:58 am
O_o my way was easier...
atreus Beginner
Joined: 22 Mar 2005 Posts: 21
Posted: Thu Apr 14, 2005 11:21 am
My original post was as much meant to get advice on how to prevent such situations as it was to try to wake people up to the potential dangers of poorly made triggers.
DeReP wrote:
I tried your exact example and ended up sending everything in one say with the separators in it, so nothing really happened.
Then you either have parsing off or something or just use a different delim as the client (or the mud) can't really know when a certain character is supposed to be printed and when parsed (unless you tell them). Of course different mud types may also affect the behavior.
asm wrote:
Play around with it, and you can get it to only match letter characters... Note that .+ is basically the * of regular expressions, so it will match semicolons.
Well, .+ is not exactly the same as * since the translation of ".+" is to "match one or more of any character(s)" while "*" translates to "zero or more of any character(s)"... or at least that is true in perl, not sure how accurately zMud follows the syntax.
.atr.
Kiasyn Apprentice
Joined: 05 Dec 2004 Posts: 196 Location: New Zealand
Posted: Thu Apr 14, 2005 11:34 am
Kiasyn wrote:
^(&Monster) seems to be totally confused and unable to fight at all!
Value:
#if ( %match( @Monster, ";" ) ) {
#SEND {say Yeah right}
} {
#SEND {say @Monster stunned!}
}
This will check if @Monster contains ';' and won't perform the command if it does.
Zugg MASTER
Joined: 25 Sep 2000 Posts: 23379 Location: Colorado, USA
Posted: Thu Apr 14, 2005 5:35 pm
To address your original post concern, you should be aware that zMUD already does some things to limit the ability for other players to abuse your triggers.
When using normal zMUD triggers, things like * do NOT match any special characters such as ; or #. So, when using normal zMUD triggers, you are not opening yourself to abuse by other players. This has been a feature of zMUD triggers since the very first version.
The %* pattern circumvents this protection and will match any character.
When you use a syntax like &Monster, zMUD internally should be using the * wildcard, so you should also be protected in that case.
When you use regular expressions, there is NO PROTECTION. So the .* in a regular expression (which matches zero or more characters) will match anything and you might be subject to abuse.
There are some functions like %quote that you can also use to "quote" any special characters to prevent abuse. This will put a ~ character in front of special characters like ; so that they don't get parsed and executed.
atreus Beginner
Joined: 22 Mar 2005 Posts: 21
Posted: Thu Apr 14, 2005 10:04 pm
Here's what I finally ended up with and it works beautifully (it's a different trigger, but the principle is the same):
Code:
Pattern:
^You just got ([%w%s]) better in ([%w%s]).$
Value:
#send {party say %1 better in %2}
Where the mud input can be something like any of these lines:
Code:
You just got slightly better in leatherworking.
You just got slightly better in furious assault.
You just got a lot better in meditation.
You just got a lot better in form of a spider.
so both matched variables can either have just one word or multiple words in them. I believe that [%w%s] should be sufficiently secure since %w only matches word characters and %s only matches white space. Right?
So, using that on the original trigger (where the monster name can have more than one word in it) it would be:
Code:
Pattern:
^([%w%s]) seems to be totally confused and unable to fight at all!$
Value:
#SEND {say %1 stunned!}
Am I missing anything here?
.atr.
MattLofton GURU
Joined: 23 Dec 2000 Posts: 4834 Location: USA
Posted: Fri Apr 15, 2005 2:48 am
No, it wouldn't (unless, of course, Zugg tied [] patterns into the Use Wildcards in {item1|item2|itemN} patterns property in Preferences). "[%w%s]", as far as I know, will only match 3 characters--"%", "w", and "s". It will match them in any uninterrupted combination and it doesn't have to include all three. It will not match whitespace, it will not match any other alphabetic character other than w or s, and it will not match upper-case W or upper-case S.
The correct syntax for that would be "[a-zA-Z ]"--"a-z" for the lower-case letters, "A-Z" for the upper-case ones, and " " for whitespace. If you want to capture ZMud's special characters, I believe you need to use a quote character (ie, "%" would become "~%" because % is a special character.)
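The thread's stun trigger and the prank line, modelled in Python as an added example (not zMUD script, and not code from any poster here): the three regex patterns stand in for the as-posted wildcard, Private's $ anchor and MattLofton's [a-zA-Z ] class, split_commands() is an assumed simplification of how the client splits outgoing text on ; and honours ~, and quote() is an assumed stand-in for Zugg's %quote.

```python
import re

# Constructed sample lines (not from a real MUD session): a legitimate stun
# message and the forged "say" line quoted in the original post.
LEGIT_LINE = "A large grey wolf seems to be totally confused and unable to fight at all!"
FORGED_LINE = ("Atreus says ';keep clear;give eq to atreus;quit; seems to be "
               "totally confused and unable to fight at all!'")
TAIL = " seems to be totally confused and unable to fight at all!"

# As posted: greedy capture, no end anchor (the regex equivalent of zMUD's
# %* or .*, which Zugg says gets no special-character protection).
LOOSE_AS_POSTED = re.compile(r"^(.+)" + re.escape(TAIL))
# Private's fix: a $ anchor, so a say line wrapped in quotes no longer matches.
LOOSE_ANCHORED = re.compile(r"^(.+)" + re.escape(TAIL) + r"$")
# MattLofton's fix: whitelist letters and spaces, so ; and ' cannot be captured.
STRICT = re.compile(r"^([a-zA-Z ]+)" + re.escape(TAIL) + r"$")


def split_commands(text, delim=";", escape="~"):
    """Assumed model of the client parser: split outgoing text on the
    delimiter, except that a character preceded by the escape (~) is sent literally."""
    commands, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == escape and i + 1 < len(text):
            current.append(text[i + 1])
            i += 2
            continue
        if ch == delim:
            commands.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    commands.append("".join(current))
    return [c for c in commands if c]

def quote(text, specials=";#%~"):
    """Assumed stand-in for zMUD's %quote: put ~ before each special character."""
    return "".join("~" + ch if ch in specials else ch for ch in text)

def commands_sent(pattern, line, use_quote=False):
    """Commands the client would send for one incoming line, or [] if the
    trigger does not fire. use_quote applies quote() to the captured name."""
    m = pattern.match(line)
    if m is None:
        return []
    name = quote(m.group(1)) if use_quote else m.group(1)
    return split_commands(f"say {name} stunned!")
```

With the as-posted pattern the forged line yields 'give eq to atreus' and 'quit' as separate commands; the anchored and whitelisted patterns do not fire on it at all, and quoting collapses it back into the single say DeReP observed.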
Maelstrom Apprentice
Joined: 10 Feb 2005 Posts: 158
Posted: Fri Apr 15, 2005 2:52 am
I tested it and it worked fine for me... although I couldn't say for sure *why* it worked.
Zugg MASTER
Joined: 25 Sep 2000 Posts: 23379 Location: Colorado, USA
Posted: Sat Apr 16, 2005 12:23 am
The wildcards work within the [] as of the more recent v7.x versions that added regular expression triggers.